author | Brian Gianforcaro <b.gianfo@gmail.com> | 2020-11-26 00:16:50 -0800
---|---|---
committer | Andreas Kling <kling@serenityos.org> | 2020-11-26 09:48:21 +0100
commit | f0bf723424069a03a5b5f9264e2a88e35cab568d (patch) |
tree | 9ee2eacba8e7a061af41c9e856abd9f79b60424c /.github |
parent | 922d0759b04e375a523691eae76d6997c0192fe5 (diff) |
download | serenity-f0bf723424069a03a5b5f9264e2a88e35cab568d.zip |
Meta: Enable CodeQL static analysis for Serenity
CodeQL is a static analysis technology that was purchased by GitHub
and has been tightly integrated into the platform. It's different
from most other static analysis solutions because it's based on a
database built from your codebase, and then language specific rules
can be executed against that database. The rules are fully user
extensible, and are written in a datalog/query language.
The default cpp language rules coming from CodeQL will probably find
some issues; the ability to easily write custom rules/queries will
lend itself nicely to allowing us to validate that Serenity-specific
semantics are followed throughout the code.
References:
- https://www.youtube.com/watch?v=AMzGorD28Ks
- https://securitylab.github.com/tools/codeql
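What such a custom rule looks like in practice, as an added example that is not part of this commit or of the Serenity repository: a CodeQL query for C++ that runs against the database the commit message describes and reports every direct call to a small list of unbounded libc string functions. The banned list, the `serenity/` query id and the `Ports/%` path filter are placeholder assumptions standing in for whatever Serenity-specific rule the project actually wants to enforce; the mechanics (a class selecting the target functions, a `from`/`where`/`select` over call sites) are what carries over.

```ql
/**
 * @name Call to a banned unbounded string function
 * @description Reports direct calls to libc string functions that take no
 *              length argument. The function list is a placeholder for a
 *              project-specific rule; swap in whatever API the project bans.
 * @kind problem
 * @problem.severity warning
 * @id serenity/banned-string-function
 * @tags security
 */

import cpp

/**
 * Functions the project does not want called directly. Assumed list:
 * each of these copies or formats into a destination with no bound.
 */
class BannedStringFunction extends Function {
  BannedStringFunction() {
    this.hasGlobalName("strcpy") or
    this.hasGlobalName("strcat") or
    this.hasGlobalName("sprintf") or
    this.hasGlobalName("gets")
  }
}

from FunctionCall call, BannedStringFunction banned
where
  // The call resolves to one of the banned functions (not a same-named method).
  call.getTarget() = banned and
  // Assumed layout: third-party code under Ports/ is compiled too but is not
  // the project's to fix, so skip it rather than drown real findings in noise.
  not call.getFile().getRelativePath().matches("Ports/%")
select call,
  "Call to " + banned.getName() + " is banned in this code base; use a bounded alternative."
```

To run it from the workflow in this commit, place the `.ql` file in a directory that also contains a `qlpack.yml` naming the pack and declaring a dependency on the CodeQL C++ library, then add that directory as a `- uses: ./<path>` entry under `queries:` in `.github/codeql/config.yml`; findings show up alongside the built-in suite results. The path filter is the check a practitioner wants before turning a rule on: without it, any vendored code that the traced build compiles will be reported as if it were the project's own.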
Diffstat (limited to '.github')
-rw-r--r-- | .github/codeql/config.yml | 8
-rw-r--r-- | .github/workflows/cmake.yml | 11
2 files changed, 19 insertions, 0 deletions
diff --git a/.github/codeql/config.yml b/.github/codeql/config.yml new file mode 100644 index 0000000000..71742d9a41 --- /dev/null +++ b/.github/codeql/config.yml @@ -0,0 +1,8 @@ +name: "SerenityOS CodeQL Config" + +queries: + - uses: security-and-quality + - uses: security-extended + +# Documentation for configuring CodeQL is located here: +# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index f3af9ad0c3..9330a08bdb 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -49,6 +49,7 @@ jobs: key: ${{ runner.os }}-toolchain-${{ hashFiles('Libraries/LibC/**/*.h', 'Toolchain/Patches/*.patch') }} - name: Restore or regenerate Toolchain run: TRY_USE_LOCAL_TOOLCHAIN=y ${{ github.workspace }}/Toolchain/BuildIt.sh + # TODO: ccache # https://cristianadam.eu/20200113/speeding-up-c-plus-plus-github-actions-using-ccache/ # https://github.com/cristianadam/HelloWorld/blob/master/.github/workflows/build_cmake.yml @@ -63,6 +64,12 @@ jobs: # === ACTUALLY BUILD AND TEST === + - name: Initialize CodeQL Static Analysis for C++ + uses: github/codeql-action/init@v1 + with: + languages: cpp + config-file: ./.github/codeql/config.yml + - name: Build Serenity and Tests working-directory: ${{ github.workspace }}/Build run: cmake --build . -j2 @@ -76,6 +83,10 @@ jobs: working-directory: ${{ github.workspace }}/Build/Meta/Lagom run: DISABLE_DBG_OUTPUT=1 ./test-js + # Run analysis last, so contributors get lint/test feedback ASAP. + - name: Perform post build CodeQL Analysis + uses: github/codeql-action/analyze@v1 + # === NOTIFICATIONS === - name: Dump event info |
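Review bot: In the new `.github/codeql/config.yml` the two `queries:` entries overlap: `security-and-quality` is a superset of `security-extended` (it adds maintainability and reliability queries on top of that suite), so listing both is redundant and the second `uses:` line can be dropped. Pick deliberately: `security-extended` alone if the goal is security alerts, `security-and-quality` if the quality findings are wanted too. Nothing else in the file scopes the analysis, so consider a `paths-ignore` entry for any third-party sources the traced build compiles, otherwise their findings land in the same report.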
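Review bot: The `@@ -49,6 +49,7 @@` hunk adds only a blank line above the `# TODO: ccache` comment and is unrelated to CodeQL; harmless, but whitespace-only edits are easier to review when kept out of a feature commit or mentioned in the message.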
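Review bot: In the `@@ -63,6 +64,12 @@` hunk, `uses: github/codeql-action/init@v1` pins to a moving major tag rather than a commit SHA; for an action that wraps the build and later uploads results, pin the full commit SHA (with the tag in a trailing comment) so the step cannot change underneath the workflow. Placing the init step before `cmake --build . -j2` is the right order, since the C++ extractor only captures compiler invocations that happen after it, and the toolchain restored two steps earlier is therefore not traced; worth a one-line comment so a later reorder does not silently produce an empty database.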
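Review bot: In the `@@ -76,6 +83,10 @@` hunk the analyze step runs only when every preceding step succeeds, so a failing `./test-js` (or any earlier test step) skips analysis and no results are uploaded for that commit; the comment's aim of fast lint/test feedback is met, but the security scan disappears on exactly the runs that most need a look. Moving init, build and analyze into their own job keeps the two independent and lets the analysis run in parallel instead of adding to the tail of this job; the same pin-to-SHA comment applies to `github/codeql-action/analyze@v1`.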